Mobile device sensors can spy on you to steal PINs

Most people are aware that their smartphones aren't completely safe from hackers, but it turns out that they're even less safe than most people realise. According to a new study by Newcastle University, smartphones, portable games consoles, fitness trackers, and other smart mobile devices are vulnerable to malicious websites and installed apps that can use a device's various sensors to steal PINs and other data.

According to the team led by Dr Maryam Mehrnezhad, a Research Fellow in the School of Computing Science, there are about 25 sensors in the average smartphone. She says hackers can use these to study a user's behavior and deduce PINs and other information with an accuracy of 70 percent on the first attempt for four-digit PINs and 100 percent by the fifth try.

"Most smartphones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments including the gyroscope, proximity, NFC, and rotation sensors and accelerometer," says Mehrnezhad. "But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you, such as phone call timing, physical activities and even your touch actions, PINs and passwords.

"More worrying, on some browsers, we found that if you open a page on your phone or tablet which hosts one of these pieces of malicious code and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter. And worse still, in some cases, unless you close them down completely, they can even spy on you when your phone is locked."

The Newcastle study indicates that normal user actions, like clicking, scrolling, holding, tapping, and rotating a device can be detected by the array of sensors in the device and produce a distinct orientation and motion trace. This allows a skilled digital eavesdropper, like malware, to deduce where someone is on a page and what they are typing.
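The two browser behaviours the article describes, sensor events still arriving in a background or locked tab and arriving at a high enough sampling rate to expose touch timing, are things a site owner or browser tester can measure on their own device. The following is an added example, not code from the Newcastle study or the article: a small self-audit that records `devicemotion` events together with the page's visibility state and then reports how many events were delivered while the page was hidden and at what rate. The analysis functions work on a plain array of records so they can be exercised offline with constructed data; the record format, the 60 Hz threshold and the `sensorAudit` console helper are assumptions of this example.

```javascript
// Added example: audit whether a page keeps receiving motion-sensor events
// while hidden, and estimate the delivered sampling rate.
// Record format (assumed): { t: timestamp in ms, hidden: true if the page
// was not visible when the event arrived }.

// Estimate events per second from the first and last timestamps.
function estimateRateHz(records) {
  if (records.length < 2) return 0;
  const spanMs = records[records.length - 1].t - records[0].t;
  if (spanMs <= 0) return 0;
  return Math.round(((records.length - 1) * 1000) / spanMs);
}

// Summarise a recorded stream: did any events arrive while hidden, and is the
// visible-tab rate above the throttle a browser might apply (60 Hz assumed)?
function auditSensorStream(records, rateThresholdHz = 60) {
  const visible = records.filter(r => !r.hidden);
  const hidden = records.filter(r => r.hidden);
  const visibleRateHz = estimateRateHz(visible);
  return {
    total: records.length,
    deliveredWhileHidden: hidden.length,
    visibleRateHz,
    hiddenRateHz: estimateRateHz(hidden),
    leaksWhileHidden: hidden.length > 0,
    aboveThrottle: visibleRateHz > rateThresholdHz,
  };
}

// Recorder that stamps each event with the current visibility state.
// getHidden is injected so the recorder can be driven without a browser.
function createRecorder(getHidden) {
  const records = [];
  return {
    records,
    onEvent(t) { records.push({ t, hidden: getHidden() }); },
  };
}

// Constructed sample stream: 100 events at 10 ms spacing while visible,
// then 50 more at the same spacing after the page was hidden.
function constructedSample() {
  const records = [];
  for (let i = 0; i < 100; i++) records.push({ t: i * 10, hidden: false });
  for (let i = 0; i < 50; i++) records.push({ t: 1000 + i * 10, hidden: true });
  return records;
}

// In a browser, attach to the real event stream. Switch tabs or lock the
// screen for a while, come back, and call window.sensorAudit() in the console.
if (typeof window !== 'undefined' && 'DeviceMotionEvent' in window) {
  const rec = createRecorder(() => document.visibilityState !== 'visible');
  window.addEventListener('devicemotion', e => rec.onEvent(e.timeStamp));
  window.sensorAudit = () => auditSensorStream(rec.records);
}
```

On the constructed sample the audit reports 50 events delivered while hidden and a visible-tab rate of 100 Hz, so both flags are set; a browser that stops delivering events to hidden pages and caps the rate would produce zero hidden events and a rate at or below the threshold. Note that on iOS 13 and later, Safari only delivers `devicemotion` events after `DeviceMotionEvent.requestPermission()` has been granted from a user gesture, so the listener above will stay silent there until that call is made.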

"It's a bit like doing a jigsaw – the more pieces you put together the easier it is to see the picture," says Dr Siamak Shahandashti, a Senior Research Associate in the School of Computing Science. "Depending on how we type – whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe – the device will tilt in a certain way and it's quite easy to start to recognize tilt patterns associated with touch signatures that we use regularly.

"So the internal sensors each provide a different bit of the jigsaw. Personal fitness trackers which you wear on your wrist and, by their very nature, are designed to track the movement of your hand and pass information to your online profile pose a whole new threat. Potentially, they are able to provide additional information which, when combined with this sensor data, will make it even easier to decipher personal information."

However, the Newcastle study says the problem goes beyond technological vulnerability. It also found that users have a poor understanding of the security threats they face and do not know what most of the sensors in their phones do. As a result, they are more concerned about the risks they can perceive, such as being spied on by GPS or their phone's camera, than about the compass or motion sensors.

The team says that though the industry is aware of security problems, there is currently no real solution. In light of the team's research, a partial fix has been developed by some mobile browser makers, such as Mozilla Firefox and Apple Safari, but a complete answer has yet to be found that would not mean effectively denying mobile browsers access to certain data altogether.

Meanwhile, for additional protection, it's recommended that users change PINs and passwords frequently, close background apps when not in use, uninstall unneeded apps, only use apps from approved app stores, and review permissions given to individual apps.